The Transparency Paradox: Why the EU AI Act Cannot Be Enforced Through Existing Supervisory Instruments
An examination of the structural conflict between Regulation (EU) 2024/1689, the General Data Protection Regulation, and the Trade Secrets Directive — and the case for proof-based regulatory verification as the necessary architectural response.
I. Executive Summary
The AI Act establishes obligations for transparency, human oversight, and conformity assessment of high-risk AI systems. Simultaneously, GDPR mandates data minimisation and prohibits unnecessary disclosure of personal data, while the Trade Secrets Directive protects the proprietary architecture of AI models. These three regulatory instruments, when applied simultaneously to the same computational object, produce an enforcement condition that no existing supervisory method can satisfy.
This document identifies the structural nature of this deficit and introduces the ZKAP® (Zero-Knowledge Audit Protocol) methodology as an architectural response: a framework in which adherence to formalized rules — whether derived from law, regulation, technical standards, or ethics codes — is verified through cryptographic proof rather than through disclosure of protected information. The AI Act enforcement gap is the primary use case, but the methodology extends to any set of requirements encodable as polynomial constraints. The methodology is the subject of a pending patent application and is presented here at the conceptual level.
II. The Enforcement Gap
The three-body regulatory conflict
Consider a high-risk AI system deployed by a financial institution for credit scoring. Under the AI Act, the national competent authority must verify that this system satisfies the requirements of Articles 9–15: data governance, transparency, human oversight, accuracy, robustness, and cybersecurity. This verification presupposes access to, or meaningful inspection of, the system's operational logic.
However:
- GDPR (Article 5(1)(c), Article 9) prohibits the processing of personal data beyond what is strictly necessary. Disclosing training datasets containing personal financial records to an external auditor creates a new processing operation that requires independent legal basis — a basis that may not exist.
- The Trade Secrets Directive (Article 2) protects the neural network architecture, trained weights, and algorithmic logic as proprietary commercial assets. Compelled disclosure to a regulatory body, absent explicit legislative carve-out, may constitute unlawful interference with intellectual property rights.
- Cognitive impossibility at scale: For exascale systems operating beyond 1015 parameters, human inspection of decision logic is not merely impractical but physically impossible. No audit team, regardless of expertise, can evaluate the substantive correctness of a model whose internal state space exceeds human cognitive capacity.
The result is a condition of lex imperfecta — legislation that imposes obligations which the addressees cannot fulfil without violating other equally binding legal instruments. National competent authorities possess the legal mandate to supervise, but no technically viable means of doing so. Operators possess the legal obligation to demonstrate compliance, but no lawful mechanism for providing the evidence required.
Why existing approaches do not resolve this deficit
Explainable AI (XAI): Methods such as SHAP and LIME generate post-hoc approximations of model behaviour. These are descriptive, not evidentiary. An approximation does not constitute proof of compliance. Critically, explanation and accountability are not equivalent: a discriminatory system can be explained with precision. Furthermore, XAI methods do not function reliably at exascale — they produce what the literature describes as "semantic emptiness": extensive documentation that describes training methodology rather than operational decision logic.
Regulatory sandboxes (Article 57-62 AI Act): Sandboxes offer controlled environments for testing, but they are episodic and scope-limited. They do not address the continuous verification requirement for deployed systems. A sandbox cannot answer the question that Article 9(1) demands: is this system compliant at this moment in production?
Human oversight (Article 14): The Article 14 requirement for human oversight presupposes that a human operator can meaningfully intervene in the system's decision process. For systems processing millions of decisions per day, this presupposition is structurally unmet. The human-in-the-loop model becomes a formal compliance artefact rather than a substantive safeguard.
III. The Conceptual Response: Proof-Based Verification
If disclosure-based auditing is structurally unworkable for high-risk AI systems, the regulatory question becomes: is there an alternative that satisfies the substantive objectives of the AI Act without requiring disclosure of protected information?
The ZKAP® methodology proposes such an alternative. It is grounded in a well-established field of cryptography — zero-knowledge proof systems — which allow one party to demonstrate to another that a specific statement is true, without conveying any information beyond the truth of that statement.
Applied to the regulatory context, this principle enables a paradigm shift:
| Disclosure-based model | Proof-based model |
|---|---|
| "Open your system for inspection" | "Demonstrate that your system satisfies these specific regulatory predicates" |
| Requires access to training data, model weights, decision logic | Requires no access to any protected information |
| Conflicts with GDPR, Trade Secrets Directive | Compatible with all three regulatory instruments simultaneously |
| Produces subjective audit opinion | Produces verifiable mathematical certificate |
| Snapshot assessment (valid at time of audit) | Continuous verification capability |
| Scales linearly with human resources | Scales with computational infrastructure |
Under this model, the AI system operator generates a cryptographic certificate attesting that the system satisfies defined formalized requirements — whether those requirements originate from regulation, technical standards, ethics codes, or internal policies. Any arbitrary set of rules that can be formalized as polynomial equations can be integrated into the verification framework. The national competent authority verifies this certificate independently, without access to any proprietary or personal data. The certificate is either valid or invalid — there is no interpretive ambiguity.
IV. Institutional Implications
For the European Commission and EU AI Office
The AI Act's conformity assessment framework (Articles 40-49) does not specify the technical method by which conformity is to be demonstrated. This is a deliberate gap, intended to accommodate technological evolution. Proof-based verification offers a candidate methodology that can be incorporated into harmonised standards developed by CEN-CENELEC under the AI Act's standardisation mandate, without requiring legislative amendment.
For national competent authorities
National supervisory authorities face an asymmetry: they are mandated to supervise AI systems whose complexity vastly exceeds their technical inspection capacity. A proof-based framework redistributes the computational burden — the operator bears the cost of generating evidence of compliance, while the authority's verification cost is minimal. This is structurally analogous to the relationship between a taxpayer's obligation to file a return and the revenue authority's capacity to verify it.
For operators and deployers
Verification of adherence ceases to be an administrative bottleneck and becomes an operational procedure. The operator retains full control over proprietary technology. No training data, model architecture, or algorithmic logic is disclosed. The verification certificate becomes a market credential — a verifiable signal of adherence to formalized regulatory, technical, and ethical requirements.
For citizens and fundamental rights
Every day, individuals are subject to algorithmic decisions concerning credit, employment, healthcare, and administrative services. The current regulatory model provides no real-time guarantee that these decisions comply with the law. A proof-based approach provides exactly this: mathematical assurance that baseline legal protections have been applied, without requiring citizens to understand the underlying technology or to trust institutional assertions.
"By eliminating the need for constant suspicion and deciphering of informational noise, we return cognitive resources to where they belong. Sovereignty ceases to be a legal abstraction and becomes an automated guardian of individual integrity."
— Radoslav Y. Radoslavov, The Collapse of Transparency (forthcoming 2026)
V. The Economic Dimension
The current compliance model imposes costs that function as a structural barrier to market entry, disproportionately affecting SMEs and European innovators:
- Direct audit costs: Traditional conformity assessment for a single high-risk AI system requires thousands of expert hours. Current estimates range from EUR 9,500 to EUR 330,000 per system for initial assessment alone.
- Intellectual property exposure: Any disclosure-based audit creates a channel for IP leakage — the very act of demonstrating compliance risks compromising the commercial value of the asset being assessed.
- Time-to-market delay: The period between model readiness and regulatory clearance represents an opportunity cost during which competitors operating outside the EU's regulatory perimeter capture market share.
A proof-based framework transforms this cost structure. The operator invests in the capacity to generate compliance certificates — a one-time infrastructure cost — after which ongoing verification is automated. The regulatory authority's verification cost approaches zero. The aggregate effect is the transformation of the AI Act from a competitive disadvantage for EU industry into a market differentiator: a verifiable standard of trustworthiness that non-EU competitors cannot replicate.
VI. Acknowledged Limitations
The author considers intellectual honesty on the boundaries of this approach to be a precondition for institutional credibility:
- Formalisation is interpretation. Legal norms such as "proportionality," "fairness," and "reasonableness" cannot be reduced to mathematical predicates without an interpretive act. The quality of any verification system depends entirely on the quality of the rules it verifies. This is a human responsibility that no technology can replace.
- Verification of code compliance is not identical to verification of legal compliance. If the formalised rules are incomplete or unjust, the verification system will enforce them faithfully. The system is a tool, not a source of justice.
- Probabilistic systems require statistical treatment. AI models are inherently non-deterministic. Verification operates on distributional properties, not individual guarantees.
- The methodology does not replace judicial authority. Courts and regulators retain the final determination of lawfulness. Cryptographic evidence informs their decisions; it does not supplant them.
"ZKAP should not be perceived as a substitute for the court. The last word always remains with the human. ZKAP is a witness and a conscience — not a dictator."
— Radoslav Y. Radoslavov
VII. Intellectual Property Status
The technical implementation of the ZKAP® methodology is the subject of patent applications filed with the European Patent Office and the Bulgarian Patent Office (filing date: 30 March 2026). This document presents the conceptual framework and policy rationale only. The specific technical architecture, verification mechanisms, and computational processes are proprietary and are not disclosed in this publication.
Institutional stakeholders seeking access to the full technical specification are invited to request a confidential briefing under appropriate non-disclosure arrangements.
Request an Institutional Briefing
The full ZKAP® methodology — including the technical verification framework and regulatory integration architecture — is available to institutional stakeholders under confidentiality agreement.
Public Summary Request BriefingReferences
- [1] Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (AI Act)
- [2] Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR)
- [3] Directive (EU) 2016/943 on the protection of undisclosed know-how and business information (Trade Secrets Directive)
- [4] Directive (EU) 2022/2555 on measures for a high common level of cybersecurity (NIS2)
- [5] Radoslavov, R.Y. (2025). “Management and Regulation of Artificial Intelligence Models: Concept for Transparency and Accountability in Administrative Activities.” Industry 4.0, Winter Session, Vol. 2, pp. 320–321. ISSN 2534-8582. [ResearchGate]
- [6] Radoslavov, R.Y. (2026). “Management and Regulation of AI Models in Public Administration: Cryptographic Transparency and Digitalization of Legal Norms.” Industry 4.0, 2026 (forthcoming). Presented at XI Intl. Sci. Conf. “High Technologies. Business. Society”, Borovets, 23–30 March 2026.
- [7] Radoslavov, R.Y. (2026). The Collapse of Transparency: How to Control Artificial Intelligence Through Cryptographic Regulation in the Era of Opaque Algorithms. Forthcoming.
- [7] European Commission, AI Act Implementation Timeline. artificialintelligenceact.eu